Sounds like the premise of a Black Mirror episode.
by Tyler DurdenThu, 12/20/2018 – 11:55
Amazon accidentally sent the wrong person approximately 1,700 audio files and a PDF containing transcripts of intimate conversations – all recorded over the company’s in-home echo assistant.
In August 2018, a German Amazon customer took advantage of the EU’s General Data Protection Regulation (GDPR) to request whatever personal data Amazon had on file about him. Several months later, he received a link to download a 100MB ZIP file, according to German news outlet Heise.
About 50 of the zipped files contained data relating to everyday things like Amazon searches, but there were also around 1,700 WAV files and a PDF cataloging unsorted transcripts of Alexa’s interpretations of his voice commands. Schneider was extremely surprised to find these files as he doesn’t use Alexa and doesn’t own any Alexa-enabled devices. He listened to some random sample files but didn’t recognize any of the voices they contained. –Heise
The man emailed Amazon on November 8 to notify them that they had sent the wrong customer’s information, asking who they belonged to. When he hit a dead end, he contacted German computer magazine c’t – feeling that the victim should be found and informed about the data breach which covered the entire month of May.
We asked him to send us some of the files (confidentially of course) so that we could get an idea of what they contained. They enabled us to piece together a detailed picture of the customer concerned and his personal habits. It was obvious that ‘Customer X’ uses Alexa in multiple locations. He has at least one Echo at home and has a voice-controlled Fire box connected to his TV. A female voice also spoke to Alexa, so there was clearly a woman around at least some of the time. -c’t via Heise
The Alexa device was able to hear the customer in the shower – as well as commands given to thermostats and other smart devices around the house. The man used Alexa at home, on his smartphone and when he is out and about.
We were able to navigate around a complete stranger’s private life without his knowledge, and the immoral, almost voyeuristic nature of what we were doing got our hair standing on end. The alarms, Spotify commands, and public transport inquiries included in the data revealed a lot about the victims’ personal habits, their jobs, and their taste in music. -c’t via Heise
The investigative team was able to quickly identify the customer and his female companion based on first names, last names, weather queries and other information which led them to public data from Facebook and Twitter. When they could not find any contact information for the customer, the c’t investigators asked Twitter to request that the victim contact them – which they did. The victim immediately called back, and was “audibly shocked” when they revealed what Amazon had accidentally sent to a stranger. The man confirmed that the investigators had correctly identified his girlfriend, and then began running through everything he and his friends asked Alexa – wondering what secrets they may have revealed.
Click on the link for the rest.